4

My question is more along the lines of designing the webhook architecture with Amazon Cognito. I came up with the following design after going through Hasura's documentation on webhook auth. Is it feasible? Note: the AWS Lambda is behind API Gateway with authorization enabled.


Now,

  • Don't you think it's overhead for the app to authenticate as well as Hasura for every request?
  • Can this be achieved without a Lambda in between Hasura and Cognito?
  • Can Hasura provide the authentication based on user credentials to the app, and a webhook to verify that in Cognito?

Thanks for your feedback.

dina

1 Answer

3

I have the same question as you. After trying lots of methods, I think using Hasura JWT mode is a good way and it works well without any complex configuration. Take a look at this flow:

  1. The React app requests the token from Cognito
  2. Cognito triggers PreTokenGeneration to add Hasura claims
  3. The React app gets the idToken (with Hasura claims) from Cognito

I think it will be much better to separate the auth and the data.

NOTE: Cognito doesn't support the dict type of claim value yet. So you should set claims_format: 'stringified_json' in the Hasura jwt-secret. You can take a look at this issue: https://github.com/hasura/graphql-engine/issues/1176

FYI:

  • https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
  • https://docs.hasura.io/1.0/graphql/manual/auth/jwt.html#

Shyu Kevin
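A sketch of the PreTokenGeneration trigger from step 2 of the answer above, added here as an example and not code from the answer or from Hasura. It assumes Hasura roles are mapped from Cognito groups; the role names, `KNOWN_ROLES`, `DEFAULT_ROLE` and the sample event are constructed for illustration. Claims are derived only from `sub` and group membership, which the user cannot edit, rather than from client-writable attributes.

```javascript
// Added example: Cognito Pre Token Generation trigger (Node.js Lambda).
// Matching Hasura JWT secret (placeholders in <>), per the answer's NOTE:
// {"type":"RS256","claims_format":"stringified_json",
//  "jwk_url":"https://cognito-idp.<region>.amazonaws.com/<userPoolId>/.well-known/jwks.json"}
const HASURA_NAMESPACE = 'https://hasura.io/jwt/claims';
const DEFAULT_ROLE = 'user';            // assumption: role every signed-in user gets
const KNOWN_ROLES = ['user', 'admin'];  // assumption: roles that have Hasura permissions

function buildHasuraClaims(event) {
  const sub = event.request.userAttributes.sub; // immutable Cognito user id
  if (!sub) throw new Error('missing sub; refusing to issue Hasura claims');
  const groups = (event.request.groupConfiguration || {}).groupsToOverride || [];
  // Allow-list: a Cognito group only becomes a Hasura role if Hasura knows it.
  const roles = groups.filter((g) => KNOWN_ROLES.includes(g));
  if (!roles.includes(DEFAULT_ROLE)) roles.unshift(DEFAULT_ROLE);
  return {
    'x-hasura-user-id': sub,
    'x-hasura-default-role': DEFAULT_ROLE,
    'x-hasura-allowed-roles': roles,
  };
}

function addHasuraClaims(event) {
  const prev = (event.response && event.response.claimsOverrideDetails) || {};
  event.response = event.response || {};
  event.response.claimsOverrideDetails = {
    ...prev,
    claimsToAddOrOverride: {
      ...(prev.claimsToAddOrOverride || {}),
      // Claim values must be strings here, hence stringified_json in Hasura.
      [HASURA_NAMESPACE]: JSON.stringify(buildHasuraClaims(event)),
    },
  };
  return event;
}

// Lambda entry point; Cognito expects the (modified) event back.
const handler = async (event) => addHasuraClaims(event);
if (typeof module !== 'undefined') module.exports = { handler };

// Constructed sample event (not a captured one) for local runs.
const SAMPLE_EVENT = {
  triggerSource: 'TokenGeneration_Authentication',
  request: {
    userAttributes: { sub: '00000000-0000-4000-8000-000000000001' },
    groupConfiguration: { groupsToOverride: ['admin', 'unmapped-group'] },
  },
  response: { claimsOverrideDetails: null },
};
```

In Hasura, `x-hasura-user-id` is then available to row-level permission rules, and a request can only switch to a role listed in `x-hasura-allowed-roles`.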